How do four of Australia's largest government agencies protect their networks from attackers? To find out, ZDNet.com.au went to Canberra and spoke to the CIOs of Customs, Centrelink, Defence and the Australian Tax Office.
Protecting customer data, whether from leaks, external attack or internal misuse, is cited as the key security concern among four of Australia's largest government agencies: Centrelink, Defence, ATO and Customs.
"We are a very security conscious organisation, as you'd probably appreciate," said Customs CIO, Murray Harrison. "We have a lot of sensitive information."
Harrison, Australian Taxation Office CIO Bill Gibson, Centrelink CIO John Wadeson and Defence CIO Greg Farr all see data security as a significant concern, and one they are prepared to invest in.
In budget terms, security makes up anywhere between five and 20 per cent of IT expenditure among the agencies: five per cent in hard costs, the remainder in the way security is generally embedded in any ICT initiative they undertake.
"We incorporate that security thinking into everything we do, it's very pervasive," said Defence CIO, Greg Farr.
Bill Gibson, CIO of the Tax Office, said the risk that keeps him awake at night is identity theft, which could allow rogue users to "masquerade or perform some fraudulent activity."
To tackle this issue, the ATO runs its IT infrastructure in such a way that very little data is ever held on a client device. Most, if not all, sensitive data is only available via access to a secured network. As an additional measure, laptops are protected by encryption.
"Any laptop that we take out of the office is fully encrypted and it's very difficult to break," said Gibson. Australia's Department of Defence is equally enamoured with encryption — its experience with the technology is strengthened via a history of running "secret networks" in parallel with its restricted networks.
"One of the things that we are looking at is how we are able to exchange information with our allies and the use of a public key infrastructure, which will be the main way of authentication," said Farr.
Customs is also keen on encryption, especially after investing in a major client refresh, which saw around half of its computer fleet go mobile.
"I don't know if we have two-factor or about four-factor security on the notebooks," said Customs CIO Murray Harrison — citing the use of Microsoft's BitLocker hard drive encryption and Vasco authentication tokens to complement traditional passwords.
Centrelink CIO John Wadeson says the agency also takes a very careful approach to system access from within its walls. The welfare agency is considering new security initiatives, including contactless smartcards and biometrics, above and beyond the random number generator authentication it currently uses for staff to access systems.
"Public confidence is just so important to us," said Wadeson. "You only need a couple of examples where people have been able to see records or access things. People will walk away totally from the online systems if they think that they can be compromised by using them."